Digital forensics deals with the analysis of artifacts on all types of digital devices. One of the most prevalent analysis techniques performed is that of the registry hives contained in Microsoft Windows operating systems. Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.
0bf122d130ac2701097efb0279ea1770e47de47890bfe248c6efa066170e445e
Secunia Security Advisory - A vulnerability has been reported in IBM WebSphere Service Registry and Repository, which can be exploited by malicious people to conduct script insertion attacks.
ce1550069596eaa7ff73bcee52dfee54874c8c09112cfbfd63df226fca87dc48
Iconics GENESIS32 version 9.21.201.01 suffers from an integer overflow vulnerability. The GenBroker service on port 38080 is affected by three integer overflow vulnerabilities while handling opcode 0x4b0, which is caused by abusing the memory allocations needed for the number of elements passed by the client. This results in unexpected behaviors such as direct registry calls, memory location calls, or arbitrary remote code execution. Please note that in order to ensure reliability, this exploit will try to open calc (hidden), inject itself into the process, and then open up a shell session. Also, DEP bypass is supported.
7bae29e02d02057cc61741efd202ae99da696fffbf3d953322faa7fcd5294a22
This Metasploit module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. As it invokes a method in the RMI Distributed Garbage Collector which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication.
74cc3c759347106de31d2f7d447682b88481649a9cdcb47556ef3dc90a7223ae
Dell IT Assistant detectIESettingsForITA.ocx ActiveX control readRegVal() remote registry dump exploit.
972fe47b27217c4fe43b9ab5056484e368ca06d298659a3290fa514440134e4e
GrokEVT is a collection of scripts for reading Windows event log files on Unix. The scripts work together on one or more mounted Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.
a9e74aee34e5e451e2940487fc84fcd51ac0c986e96b1681ec9218bf74a94829
RegLookup is a small command line utility for parsing and searching registry files from Windows NT and later.
c9123786bc1be1a714c59e2fabae693d434698ce4d3fc44847cb847bff26b686
RegLookup is a small command line utility for parsing and searching registry files from Windows NT and later.
b7ae9e5c13f949ef958da4cba741067516bbc4c2800e033ff0d6ad4506945406
This Windows binary is a lightweight tool for removing strings in the Windows registry.
930084f1b07b611ad257a6cfe7c757a97c1013ed722666b27d57b5aa114e5604
Secunia Security Advisory - A vulnerability has been reported in IBM WebSphere Service Registry and Repository, which can be exploited by malicious people to bypass certain security restrictions.
f4c441bb1c2dd6767bc1e9625817395024182d88e4388acde8d4ddfa3d04c4c0
SmartFTP version 4.0.1142.0, Speak Aloud, The GodFather version 0.80, Vip Rumor Player version 3.7 and Wise Registry Cleaner DLL hijacking exploit.
0a8c2d9a9b6b25e76828d4528d063bf6d6e6d75f8d9314b1a6682e9bf35411b7
Zero Day Initiative Advisory 10-145 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell ZENWorks Remote Management. Access to a single node with Remote Management client installed and configured is required. The specific flaw exists within the storage of Remote Management authentication information on the client. The client utilizes a password stored in the registry that is common among all nodes. This can be exploited by an attacker to execute remote code on any target with the client installed.
8ca0a2ed35cf8c12d8928288cf8e2cccd425210d6feb2ab5d311442100603476
Secunia Security Advisory - Two vulnerabilities have been reported in IBM WebSphere Service Registry and Repository, which can be exploited by malicious people to conduct cross-site scripting attacks.
79cf987873529f97ed8f7b4230964a59228d028873e9e1491052426c3d94a910
HP Security Bulletin - Potential security vulnerabilities have been identified with HP SOA Registry Foundation. The vulnerabilities could be exploited remotely to gain unauthorized access to data, for cross site scripting (XSS), or to escalate privileges.
bbda352244788e6afcab64cbca7d44c84fac053e9dc79db7d466c06de38d3c1e
Secunia Security Advisory - Multiple vulnerabilities have been reported in HP SOA Registry Foundation, which can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.
1612622b14a877fed699f4406f0eefb5e0ea84611779fe95a94b3aa2afd705d4
RegLookup is a small command line utility for parsing and searching registry files from Windows NT and later.
2efcef5aae5418aac5d3ebe7af46e05349622d4e16ab73186e38b6c28762a94e
This registry code allows any terminal client access to a Terminal Server. It bypasses the Microsoft "Terminal Server License" and allows the client to create a session on the server without a CAL (Client Access License) or MS Open License. It works on WinNT, Win2000, Win2003 server and Win2008 server.
9cec54ca3bf48377115aba5d8a681eeb8b070d26a3b7949518b42ec39e09b6cb
This Metasploit module exploits a registry-based stack overflow in the Windows Routing and Remote Access Service. Since the service is hosted inside svchost.exe, a failed exploit attempt can cause other system services to fail as well. A valid username and password are required to exploit this flaw on Windows 2000. When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'. Exploiting this flaw involves two distinct steps - creating the registry key and then triggering an overwrite based on a read of this key. Once the key is created, it cannot be recreated. This means that for any given system, you only get one chance to exploit this flaw. Picking the wrong target will require a manual removal of the following registry key before you can try again: HKEY_USERS\.DEFAULT\Software\Microsoft\RAS Phonebook
23ee569235c3874d89c2c84da0e57b5ca0d9fd9d118297399485cee1eebf336b
Mandriva Linux Security Advisory 2009-042 - Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows remote authenticated users to access the root filesystem via a crafted connection request that specifies a blank share name. This update provides samba 3.2.7 to address this issue.
efb5f8b23c9eedd417563c173288af30bba7270229333d7b3a27d00d1092a230
Ubuntu Security Notice USN-702-1 - Gunter Hockel discovered that Samba with registry shares enabled did not properly validate share names. An authenticated user could gain access to the root filesystem by using an older version of smbclient and specifying an empty string as a share name. This is only an issue if registry shares are enabled on the server by setting "registry shares = yes", "include = registry", or "config backend = registry", which is not the default.
1f54398ec952d4b39f2110cd81591e592bacac95220038e4c096a6ab8d8ae1ba
Hummingbird Deployment Wizard 2008 with DeployRun.dll versions 10.0.0.44 and below suffer from a registry value creation/change vulnerability.
64592e90a4355f468b611c04f4d156ae3760bf75c7dc2e15f12730716ebb6192
GrokEVT is a collection of scripts for reading Windows event log files on Unix. The scripts work together on one or more mounted Windows partitions to extract all information needed (registry entries, message templates, and log files) to convert the logs to a human-readable format.
01a6114fa008aabd4c84b5eb4af2b43ecb2816c9a7e5408de54d5507d0bf83ab
Registry Pro remote insecure method exploit that makes use of epRegPro.ocx.
7df90c5d8e874b8e50220298a3d3d4af0261dd70bd90d1efa150baef96a938bd
Exploit that demonstrates how the manipulation of a registry key in Microsoft Windows XP SP2 can disable the taskmanager.
72924758a2cd7b2bee11688185242cfe21c6a2f799feebfdf44715eaa66f897b
creddump is a Python tool to extract various credentials and secrets from Windows registry hives. It currently extracts LM and NT hashes (SYSKEY protected), cached domain passwords, and LSA secrets. It essentially performs all the functions that bkhive/samdump2, cachedump, and lsadump2 do, but in a platform-independent way.
374120593faeda9eec711d4116574781a467e1b5a0057fa090a5b58d4a9c029e